Abstract


Timed I/O Automata (TIOA) is a mathematical framework for modeling and verification of distributed systems that involve discrete and continuous dynamics. TIOA can be used, for example, to model a real-time software component controlling a physical process. The TIOA model is sufficiently general to subsume other models in use for timed systems. The TIOA toolkit, currently under development, is aimed at supporting system development based on TIOA specifications. The TIOA toolkit is an extension of the IOA toolkit, which provides a specification simulator, a code generator, and both model checking and theorem proving support for analyzing specifications. This paper focuses on modeling of timed systems with TIOA and the TAME-based theorem proving support provided by the toolkit for proving system properties, including simulation properties. Several examples are provided by way of illustration.


1 Introduction


To achieve high assurance in the development of complex systems, an appropriate development framework supporting system specification, implementation, and analysis is essential. The support provided by the framework should apply not only to those systems that can be modeled as finite state machines but also to those that cannot, such as real-time embedded or hybrid systems: systems involving software and/or continuous behavior. Thus, an ideal general development framework should provide


1. A mathematical model capable of expressing the range of discrete and continuous phenomena that arise in typical systems,

2. A well-defined notion in the model of external (visible) behavior, and definitions of implementation of one component by another, or equivalence of two components, in terms of their visible behavior,

3. Compositionality, i.e., the ability to build larger systems by composing smaller components in a manner that respects the notion of implementation,

4. User-friendly tool support for proving the commonly encountered types of properties for the models, such as invariant properties, implementation relations, and equality, and

5. A basis supporting the use of automatic analysis and other software tools to the extent possible.


The Timed Input/Output Automaton (TIOA) toolkit [15], currently under development, provides just such a framework. The TIOA toolkit, based on the TIOA model [16], is especially suited to the specification and analysis of real-time, embedded systems.

The focus of this paper is on the theorem proving support provided in the TIOA toolkit for the analysis of TIOA specifications. With a set of small examples, we illustrate how one can use the toolkit to model timed systems and specify their properties in the TIOA language, and then verify the specified properties using the theorem prover PVS [28], through the interface TAME [3].

The paper is organized as follows. Section 2 gives an overview of the Timed I/O Automaton (TIOA) model and the TIOA toolkit that supports its use. Section 3 describes how one can specify and prove properties of TIOA models and how the TIOA toolkit supports verifying (or checking) the properties mechanically in PVS. Section 4 presents our example TIOA specifications of automata and their properties, and shows how the properties

Table 1. New TAME strategies for trajectories.


3 Overview of the TIOA proof methodology


The TIOA mathematical model is useful for specifying timed distributed systems and analyzing properties of the systems such as invariants and simulation relations. The model also provides a means of organizing proofs of such properties by induction over the length of the execution of an automaton into a systematic case analysis with respect to the actions and trajectories. It is therefore possible to develop PVS strategies that partly automate such proofs.

The TIOA methodology for theorem proving involves (1) writing the specification of a system and its properties in the TIOA language, (2) using the translator tool to generate the PVS equivalent of the system, and then (3) proving the properties in PVS using TAME strategies (see Figure 1). The user describes the system in the TIOA language using the state-transition structure. The user writes simple program statements to describe transitions and specifies trajectories using differential equations. Once the TIOA description is type checked by the front end of the tool, the translator generates a set of PVS files. Together with the TAME library containing PVS definitions for timed I/O automata and any additional data type theories, these generated files specify the automaton and its properties. The user then uses TAME strategies developed for TIOA to prove the properties of the system in PVS.

By using this approach, the user avoids having to write the automaton description directly in PVS. Moreover, the translator also performs the task of translating program statements in TIOA into functional relations in PVS, and trajectories with differential equations into time passage actions. An additional benefit gained from using the approach is that the user can also use other tools in the toolkit, including the simulator, code generator and model checker.


4 Examples 


This section provides three simple examples that together illustrate how TIOA is used to represent systems and properties, how trajectories can be used to capture desired timing behavior, and how system properties can be mechanically verified using PVS. The first example, Fischer, is a timed version of Fischer's mutual exclusion algorithm. We use this example to illustrate in some detail how various features of a TIOA specification, in particular its trajectories, are represented in PVS. We also illustrate how its main correctness property, an invariant, can be proved using TAME. The second example, TwoTaskRace (representing, as its name suggests, a two task race), is used as an example in which the main correctness property is an abstraction property (forward simulation). The last example, Timeout, representing a simple timeout system, is used to illustrate the support provided for expressing and reasoning about complex data types in the TIOA toolkit.


4.1 Fischer's mutual exclusion algorithm


Fischer's mutual exclusion algorithm solves the mutual exclusion problem in which multiple processes compete for a shared resource. Figure 2 shows the TIOA specification of a timed version of the Fischer algorithm.

In the Fischer algorithm, each process proceeds through three phases in order to get to the critical phase, where it gains access to the shared resource. In the automaton used to model the algorithm, each phase has a corresponding action; timing is modeled in the algorithm by time bounds on the actions. The interesting action classes are test, set, and check. The action set has an upper time bound u_set, while the action check has a lower time bound l_check, and u_set < l_check. When a process enters the test phase, it tests whether the value of a shared variable x has been set by any process; if not, the process can proceed to the next phase, set, within the upper time bound u_set. In the set phase, the process sets the shared variable x to its index. Thereafter, the process can proceed to the next phase, check, only after l_check amount of time has elapsed. In the check phase, the process checks to see if x contains the index of the process. If so, it proceeds to the critical phase.

The safety property we want to prove is that no two processes are simultaneously in the critical phase. We also prove simpler invariants to help us prove this main invariant. Figure 3 shows all the invariants that we have proved, the last invariant being the safety property.
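As an added illustration of the timed Fischer automaton and its safety invariant (this is example code written for this page, not the TIOA specification of Figure 2 nor any part of the TIOA toolkit), the following Python model represents the automaton as a state-transition structure in which all time bounds are integers and time advances in unit steps. The phase names, the `exit` action that releases `x`, and the relative timers `set_deadline` and `check_wait` are modelling assumptions made here so that the reachable state space is finite; the search then checks the mutual exclusion invariant over every reachable state and, by varying the bounds, shows that the invariant depends on u_set < l_check.

```python
from collections import deque

# Phases of one process in the timed Fischer automaton (constructed model).
TEST, SET, CHECK, CRIT = "test", "set", "check", "crit"


class FischerModel:
    """Discrete-time model of the timed Fischer automaton sketched in the text.

    A state is the tuple (x, pcs, set_deadline, check_wait):
      x             shared variable: 0 = unset, otherwise the index (1..n) of the last writer
      pcs           current phase of each process
      set_deadline  per process, time units left in which set(i) must occur (None if not pending)
      check_wait    per process, time units that must still elapse before check(i) is enabled
    Timers are stored relative to the current time and time advances in unit steps, so the
    bounds u_set and l_check are integers and the reachable state space is finite.
    """

    def __init__(self, n, u_set, l_check):
        self.n, self.u_set, self.l_check = n, u_set, l_check

    def initial(self):
        return (0, (TEST,) * self.n, (None,) * self.n, (0,) * self.n)

    @staticmethod
    def _with(tup, i, value):
        return tup[:i] + (value,) + tup[i + 1:]

    def successors(self, state):
        x, pcs, dl, cw = state
        for i, pc in enumerate(pcs):
            if pc == TEST and x == 0:
                # test(i): x is unset, so i may go on; set(i) must then happen within u_set
                yield (x, self._with(pcs, i, SET), self._with(dl, i, self.u_set), cw)
            elif pc == SET:
                # set(i): write own index; check(i) is allowed only after l_check has elapsed
                yield (i + 1, self._with(pcs, i, CHECK), self._with(dl, i, None),
                       self._with(cw, i, self.l_check))
            elif pc == CHECK and cw[i] == 0:
                # check(i): enter the critical phase if x still holds i, otherwise start over
                nxt = CRIT if x == i + 1 else TEST
                yield (x, self._with(pcs, i, nxt), dl, cw)
            elif pc == CRIT:
                # exit(i): release the shared variable (assumed here, not in the text)
                yield (0, self._with(pcs, i, TEST), dl, cw)
        # One unit of time passage, permitted only if no pending set deadline would be
        # missed: this is the stopping condition of the trajectory (now <= last_set[i]).
        if all(d is None or d >= 1 for d in dl):
            yield (x, pcs,
                   tuple(None if d is None else d - 1 for d in dl),
                   tuple(max(0, c - 1) for c in cw))


def mutual_exclusion(state):
    """The safety invariant: at most one process is in the critical phase."""
    return sum(pc == CRIT for pc in state[1]) <= 1


def find_violation(model, invariant=mutual_exclusion):
    """Breadth-first search of all reachable states; returns a state violating the
    invariant, or None if the invariant holds in every reachable state."""
    start = model.initial()
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            return s
        for t in model.successors(s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return None


if __name__ == "__main__":
    # u_set < l_check: no reachable state has two processes in crit
    print(find_violation(FischerModel(n=2, u_set=1, l_check=2)))
    # u_set >= l_check: the search finds a state with both processes in crit
    print(find_violation(FischerModel(n=2, u_set=2, l_check=2)))
```

The exhaustive search plays the role that the inductive TAME proof plays for the unbounded, real-valued version: it confirms the invariant for one choice of parameters, whereas the proof covers all parameters satisfying the where clause u_set < l_check.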

To illustrate how the various elements of an automaton specification in TIOA translate into TAME, Figure 4 shows the TAME specification output by the TIOA-to-TAME translator applied to the TIOA specification in Figure 2. The TAME specification has been edited slightly to save space. In the TAME specification, automaton parameters are translated as constants and the where clause constraining the parameters is expressed as an axiom named const_facts. The state variables are represented as a record type named states. A start predicate is defined to be true for states with the specified initial values. The actions of the automaton are declared as a subset of the actions datatype in the TAME specification. A predicate enabled captures the precondition for each action, while a transition function trans captures the post-state obtained by applying the transition of an action to a given pre-state. In translating the effect of an action into the transition function, the translator performs explicit substitutions in accordance with the program statements in the specification of the effect of the action in TIOA, in order to express each state variable in the post-state explicitly in terms of the variables in the pre-state.

The trajectory definition in the TIOA specification is translated as a time passage action nu_traj in the TAME specification, which has two parameters: delta_t, the duration of the trajectory, and F, a function representing the trajectory, which maps time values to states. The definitions traj_invariant, traj_stop, and traj_evolve capture the invariant, stopping condition and evolve clause of the trajectory definition, respectively. The effect of the "trajectory action" nu_traj is constrained (and thus, effectively, captured) by the precondition of nu_traj, which asserts that (1) the invariant holds throughout the duration of the action, (2) the stopping condition holds only in the last state of the trajectory, and (3) the evolution of the state variables satisfies the evolve clause. The transition function for nu_traj returns the post-state obtained by applying the trajectory function F after an elapsed time of delta_t. This method of representation, adapted from a technique of Luchangco [21], allows trans to be represented as a function from states and actions to states while allowing the result of a nu_traj "action" to be nondeterministic.

Figure 3. TIOA invariants for Fischer. Figure 4. TAME representation of Fischer.

Figure 5. TAME lemma_5 for Fischer.

Figure 6. TAME proof of lemma_5 in Fischer.
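The representation of time passage just described can be illustrated in executable form. The following Python code is an added example written for this page (it is not the TAME template, the PVS theory, or any output of the TIOA-to-TAME translator): it assumes a three-variable state for a single Fischer-style process (`now`, a pending deadline `last_set`, and the shared `x`), an invariant now ≤ last_set, a stopping condition now = last_set, and an evolve clause d(now) = 1, and then defines `enabled_nu_traj` and `trans_nu_traj` with the three-clause precondition and the F(delta_t) post-state of the text. The "for all t in [0, delta_t]" conditions are checked at grid points (an approximation chosen here; PVS reasons about them symbolically).

```python
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Callable, Optional

# Sample step used to check the "for all t in [0, delta_t]" conditions at grid points
# (an approximation made by this constructed model).
STEP = Fraction(1, 10)


@dataclass(frozen=True)
class State:
    now: Fraction        # current time
    last_set: Fraction   # deadline by which a pending set action must occur
    x: int               # shared variable, untouched by time passage


Trajectory = Callable[[Fraction], State]   # maps an elapsed time to a state


def traj_invariant(s: State) -> bool:
    """Invariant of the trajectory definition: the deadline is never passed."""
    return s.now <= s.last_set


def traj_stop(s: State) -> bool:
    """Stopping condition: time must stop once the deadline is reached."""
    return s.now == s.last_set


def traj_evolve(F: Trajectory, t: Fraction) -> bool:
    """Evolve clause d(now) = 1; every other variable stays constant."""
    s0, st = F(Fraction(0)), F(t)
    return st.now == s0.now + t and st.last_set == s0.last_set and st.x == s0.x


def enabled_nu_traj(s: State, delta_t: Fraction, F: Trajectory) -> bool:
    """Precondition of nu_traj(delta_t, F), following the three clauses in the text:
    F starts at s; the invariant and the evolve clause hold throughout [0, delta_t];
    the stopping condition holds only in the last state of the trajectory."""
    if delta_t < 0 or F(Fraction(0)) != s:
        return False
    points = [STEP * k for k in range(int(delta_t / STEP) + 1)]
    if points[-1] != delta_t:
        points.append(delta_t)
    for t in points:
        st = F(t)
        if not (traj_invariant(st) and traj_evolve(F, t)):
            return False
        if traj_stop(st) and t != delta_t:
            return False
    return True


def trans_nu_traj(s: State, delta_t: Fraction, F: Trajectory) -> State:
    """Transition function for the time passage action: the post-state is F(delta_t).
    The nondeterminism lives in the choice of (delta_t, F), not in trans itself."""
    return F(delta_t)


def constant_rate(s: State) -> Trajectory:
    """The trajectory that lets time flow at rate 1 from state s."""
    return lambda t: replace(s, now=s.now + t)


def let_time_pass(s: State, delta_t: Fraction) -> Optional[State]:
    """Apply nu_traj with the rate-1 trajectory if it is enabled, otherwise return None."""
    F = constant_rate(s)
    return trans_nu_traj(s, delta_t, F) if enabled_nu_traj(s, delta_t, F) else None


if __name__ == "__main__":
    s = State(now=Fraction(0), last_set=Fraction(2), x=0)
    print(let_time_pass(s, Fraction(2)))   # reaches the deadline exactly: allowed
    print(let_time_pass(s, Fraction(3)))   # would pass the deadline: None
```

Because `trans_nu_traj` is a plain function of the state and the action parameters, a time passage step that would cross the deadline is simply not enabled, which is the mechanism the proof step deadline_reason later exploits: time cannot pass beyond a deadline unless a discrete action intervenes.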

The new TAME strategies in Table 1, combined with the existing TAME strategies, provide a set of proof steps that allow the Fischer invariants shown in Figure 3 to be proved interactively in PVS in a clear, high-level fashion. The TIOA-to-TAME translator transforms the six invariants in Figure 3 into TAME invariants and lemmas numbered starting from 0. Thus, the goal safety property, the last invariant in Figure 3, becomes the TAME invariant lemma_5 shown in Figure 5.

Figure 6 shows a verbose TAME proof of lemma_5 in Figure 5. To create this proof, which can be rerun in PVS, the user simply types in the eight TAME proof steps in the proof script: (auto_induct), (apply_specific_precond), and so on. The comments in this proof (which appear as text after semicolons) are generated by the TAME strategies, and serve to label the proof branches and document the facts introduced by the proof steps in these branches. Because TAME automatically handles "trivial" cases, only the proof steps requiring human guidance need to be recorded. This proof can be understood as follows. The proof step auto_induct automates as far as possible the standard initial steps of a proof by induction on the reachable states, including skolemization. The values with names ending in "_theorem" or "_action" are Skolem constants standing for variables in the lemma and parameters in the current action, respectively. The name prestate refers to the pre-state of the current action, and the values of state variables in any state are represented as functions of the state. The base case and all the action cases except nu_traj(delta_t_action, F_action) and crit(i_action) are trivial. The nu_traj(delta_t_action, F_action) case is proved by recalling the full precondition with apply_specific_precond, and then using the new TAME step traj_evolve in Table 1 to compute what the current state will be after time delta_t_action. Once this is done, only "obvious" reasoning is needed, which is performed by try_simp. The proof in the crit(i_action) case first recalls the precondition and then uses apply_inv_lemma to apply two earlier invariant lemmas to appropriate instances of their quantified variables. Then, only "obvious" reasoning with try_simp is needed to complete the proof.


4.2 A two task race


The two-task race system (see Figure 7 for its TIOA description) increments a variable count repeatedly, within [a1, a2] time, a1 < a2, until it is interrupted by a set action. This set action can occur between b1 and b2 time from the start, where b1 < b2. After set, the value of count is decremented (every [a1, a2] time) and a report action is triggered when count reaches 0.


Figure 8. TwoTaskRaceSpec in TIOA.


We want to show that the time bounds on the occurrence of the report action are a lower bound (given by a case split on whether a2 < b1 and expressed in terms of a1, b1 and ⌊b1/a2⌋) and an upper bound b2 + a2 + ⌊b2/a1⌋·a2. This property is proved by specifying an abstract automaton TwoTaskRaceSpec which performs a report action within these bounds (see Figure 8) and defining a forward simulation relation from TwoTaskRace to TwoTaskRaceSpec (see Figure 10).
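To make the bounds concrete, the following Python code is an added example for this page (not the TIOA specification of Figure 7, TwoTaskRaceSpec, or any toolkit output). It assumes a discrete-time model of TwoTaskRace with integer parameters and the usual TIOA bookkeeping variables `first_main`, `last_main`, `first_set`, `last_set` (names and the choice that `set` leaves the main task's timers untouched are assumptions made here), explores every reachable state, and reports the earliest and latest time at which report occurs; the function `report_upper_bound` is the upper bound stated above, which the exploration is checked against.

```python
import math

INF = None  # the "infinity" value of a time bound that is currently disabled


def time_may_pass(now, dt, *deadlines):
    """Stopping condition of the trajectory: time cannot advance past any active deadline."""
    return all(d is INF or now + dt <= d for d in deadlines)


class TwoTaskRace:
    """Discrete-time model of TwoTaskRace(a1, a2, b1, b2) as described in the text.

    State = (now, count, flag, reported, first_main, last_main, first_set, last_set).
    The main task increments count every [a1, a2] time units until set (which occurs in
    [b1, b2]) raises flag; afterwards it decrements count every [a1, a2] and, once count
    is 0, its next step is report. set does not reset the main task's timers (assumed).
    """

    def __init__(self, a1, a2, b1, b2):
        assert 0 < a1 <= a2 and 0 <= b1 <= b2
        self.a1, self.a2, self.b1, self.b2 = a1, a2, b1, b2

    def initial(self):
        return (0, 0, False, False, self.a1, self.a2, self.b1, self.b2)

    def successors(self, s):
        now, count, flag, reported, fm, lm, fs, ls = s
        a1, a2 = self.a1, self.a2
        if reported:
            return  # nothing of interest happens after report
        if not flag and now >= fm:             # increment
            yield (now, count + 1, flag, reported, now + a1, now + a2, fs, ls)
        if not flag and now >= fs:             # set
            yield (now, count, True, reported, fm, lm, INF, INF)
        if flag and count > 0 and now >= fm:   # decrement
            yield (now, count - 1, flag, reported, now + a1, now + a2, fs, ls)
        if flag and count == 0 and now >= fm:  # report
            yield (now, count, flag, True, INF, INF, fs, ls)
        if time_may_pass(now, 1, lm, ls):      # one unit of time passage
            yield (now + 1, count, flag, reported, fm, lm, fs, ls)


def report_time_bounds(a1, a2, b1, b2):
    """Explore every reachable state and return (earliest, latest) time at which
    report occurs; this interval is what TwoTaskRaceSpec abstracts the system to."""
    model = TwoTaskRace(a1, a2, b1, b2)
    start = model.initial()
    seen, stack, report_times = {start}, [start], []
    while stack:
        s = stack.pop()
        if s[3]:                         # reported: record the time and stop here
            report_times.append(s[0])
            continue
        for t in model.successors(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return min(report_times), max(report_times)


def report_upper_bound(a1, a2, b1, b2):
    """Upper bound on the report time: before the latest possible set at b2 the main task
    can have incremented count at most floor(b2/a1) times, and each of the following
    decrements, as well as the report itself, takes at most a2."""
    return b2 + a2 + a2 * math.floor(b2 / a1)


if __name__ == "__main__":
    print(report_time_bounds(1, 2, 3, 4), report_upper_bound(1, 2, 3, 4))
```

For a1 = 1, a2 = 2, b1 = 3, b2 = 4 the exploration finds report times from 4 to 14, and 14 is exactly b2 + a2 + ⌊b2/a1⌋·a2; the forward simulation proof in TAME establishes the same containment symbolically for all parameter values, which is what makes it a proof rather than a test.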


Figure 9. TwoTaskRaceSpec trajectories in TAME.


The abstract automaton TwoTaskRaceSpec has two trajectories: pre_report and post_report. The TAME representation of TwoTaskRaceSpec (see Figure 9) illustrates how the translator represents multiple trajectories in TAME: the preconditions in enabled and postconditions in trans are expressed identically, while the details of the trajectories are captured in separate cases in traj_invariant, traj_stop, and traj_evolve. The TIOA-to-TAME translator transforms the TIOA specification in Figure 10 of the forward simulation relation into the PVS theory in Figure 11 that asserts (as a theorem to be proved) the property forward_simulation. The theory in Figure 11 follows the TAME template


Figure 10. Forward simulation from TwoTaskRace to TwoTaskRaceSpec.

Figure 11. Simulation relation in TAME.

Figure 12. TwoTaskRace invariants 0-4.


for formulating abstraction relations between automata described in [26]. The theory forward_simulation imported in Figure 11 just before the statement of the theorem provides the generic definition in PVS of the property forward_simulation, stating what it means for a relation between two automata to be a forward simulation. The PVS formulation of the forward simulation property is


Figure 13. Proof of TwoTaskRace invariant 4.


based on the definition in [24]. The proof of this property for TwoTaskRace and TwoTaskRaceSpec uses invariants of both automata.

The invariants of TwoTaskRace and TwoTaskRaceSpec needed for the forward simulation proof have all been proved in TAME. The proofs of these invariants are all quite simple; in fact, all of the invariants needed for TwoTaskRaceSpec are proved automatically by the TAME induction strategy auto_induct. The proofs of a few of the invariants for TwoTaskRace are interesting because they illustrate the use of the new TAME strategy deadline_reason, which was not used in the invariant proofs for Fischer. One such invariant is invariant 4 in Figure 12, whose TAME proof is shown in Figure 13. Invariant 4 essentially says that in the TIOA model of TwoTaskRace, the current time now cannot pass beyond the deadline last_main. In this proof, auto_induct has determined that the base case and four of the five possible action cases are nontrivial. The crux of this proof is the reasoning in the single time passage case, namely the action case nu_traj(delta_t_action). After using apply_specific_precond and traj_evolve to compute the state after time delta_t_action, and using apply_inv_lemma to use invariant 1 to establish that now <= last_main at the beginning of the trajectory, the new TAME step deadline_reason argues that now <= last_main at the end of the trajectory. The step try_simp then completes the proof with "obvious reasoning". The remaining cases are easily proved using "obvious reasoning" following, in some cases, the use of const_facts to introduce facts about the constants in the specification.

TAME also provides strategies for establishing abstraction relations between automata, including forward simulation. Forward simulation proofs have a high-level structure similar to the structure of induction proofs of invariants; however, rather than beginning with the proof step auto_induct, they begin with the proof step prove_fwd_sim. For more details, see [26].


4.3 A simple timeout system


A simple timeout system consists of a sender, a delay channel, and a receiver (see Figure 14 for its TIOA description). The sender sends messages to the receiver, each within u1 time after the previous message has been sent. A timed message queue delays the delivery of each message by at most b time. A failure can occur at any time,


Figure 14. TIOA description of Timeout.


after which the sender stops sending. The receiver times out after not receiving a message for at least u2 time.

We are interested in proving the two following properties for this system: (1) Safety: A timeout occurs only after a failure has occurred; (2) Timeliness: A timeout occurs within u2 + b time after a failure. The safety property can be captured by an invariant of the system. As in the two task race example, to show the timeliness we first create an abstract automaton that times out within u2 + b time of the occurrence of a failure, and then we prove a forward simulation from the system to its abstraction. Both the safety and timeliness properties have been proved using the TAME strategies in a manner analogous to the invariant and for-


Figure 15. Custom data types and operators used in Timeout, as declared in TIOA.


Figure 16. Sample PVS definitions of custom data types and operators used in Timeout.


ward simulation proofs in the previous examples, with one extra complication: the need to introduce knowledge about special data types used within the TIOA specifications.

The timeout system makes use of a custom data type timed_message_queue. TIOA provides a vocabulary syntax to allow the user to declare custom data types and operators. Figure 15 shows how the data type for timed_message_queue and the associated operators are declared in TIOA. The actual PVS definitions of these types and operators are provided as part of a TIOA library of data type theories; Figure 16 shows a sample of these definitions. Aside from the PVS operator end? (which implements the TIOA operator end_q for querying whether a timed_message_queue is a nonempty queue), the PVS vocabulary is identical to the TIOA vocabulary. Properties of these data types have been proved in PVS, and have been used in proofs of the specification properties.
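The following Python code is an added example for this page (it is neither the TIOA specification of Figure 14 nor the PVS theories of Figure 16) that ties the timed_message_queue data type to the two properties above. The class `TimedMessageQueue` is a constructed stand-in for the custom data type, with a `nonempty` predicate in the role of `end?`; `run_timeout_system` then plays out one deterministic schedule of the sender, channel and receiver, with the per-message channel delay `delay(k)` (default b) and the failure time supplied by the caller. Parameter names, the event ordering at equal times, and the choice that the receiver's u2 clock starts at time 0 are assumptions made here. With u2 > u1 + b the schedule never times out without a failure and times out within u2 + b of one; with u2 < u1 + b an adversarial choice of delays (one message fast, the next at the full delay b) produces a timeout with no failure, which is why safety needs that constraint on the parameters.

```python
from dataclasses import dataclass, field


@dataclass
class TimedMessageQueue:
    """Constructed stand-in for the TIOA custom data type timed_message_queue: a FIFO of
    (message, deadline) pairs, each message to be delivered by its deadline."""
    items: list = field(default_factory=list)

    def nonempty(self) -> bool:
        """Plays the role of the PVS predicate end? (the TIOA operator end_q)."""
        return bool(self.items)

    def enqueue(self, msg, deadline):
        # Deadlines stay monotone because every message gets the same delay bound b
        assert not self.items or deadline >= self.items[-1][1]
        self.items.append((msg, deadline))

    def earliest_deadline(self):
        return self.items[0][1]

    def dequeue(self):
        return self.items.pop(0)[0]


def run_timeout_system(u1, b, u2, failure_time=None, delay=None, horizon=100.0):
    """Deterministic schedule of the timeout system: the sender sends every u1 time units
    until the failure (if any), the channel holds the k-th message for delay(k) <= b time
    units (b by default), and the receiver times out once u2 time units have passed without
    a receipt. Returns (time of the timeout, or None if none occurred before the horizon,
    list of receipt times)."""
    delay = delay or (lambda k: b)
    queue = TimedMessageQueue()
    next_send, sent, last_receipt, failed, receipts = 0.0, 0, 0.0, False, []
    while True:
        # The next event is the earliest one; at equal times the order is
        # fail, deliver, send, timeout (an assumption of this model).
        events = [(last_receipt + u2, 3, "timeout")]
        if failure_time is not None and not failed:
            events.append((failure_time, 0, "fail"))
        if queue.nonempty():
            events.append((queue.earliest_deadline(), 1, "deliver"))
        if not failed:
            events.append((next_send, 2, "send"))
        now, _, event = min(events)
        if now > horizon:
            return None, receipts
        if event == "fail":
            failed = True                        # the sender stops sending
        elif event == "deliver":
            queue.dequeue()
            last_receipt = now                   # the receiver restarts its u2 clock
            receipts.append(now)
        elif event == "send":
            d = delay(sent)
            assert 0 <= d <= b, "channel delay must respect the bound b"
            queue.enqueue(("msg", sent), now + d)
            sent, next_send = sent + 1, now + u1
        else:
            return now, receipts


if __name__ == "__main__":
    print(run_timeout_system(2, 1, 4, failure_time=5.0))        # timeout at 9.0 <= 5 + 1 + 4
    slow_then_fast = lambda k: 0 if k % 2 == 0 else 1
    print(run_timeout_system(2, 1, 2.5, delay=slow_then_fast))  # false timeout at 2.5
```

The assertion inside `enqueue` is the kind of data type property the text says was proved in PVS and then used in the proofs of the specification properties: a monotone deadline order is what lets the receiver reason about the earliest deadline alone.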


5 Discussion


Developing theorem proving support. Our approach to developing appropriate theorem proving support for TIOA is to study many examples of TIOA specifications and their properties and identify what is needed for implementing a standard, straightforward set of proof steps sufficient to mechanize proofs of the properties. One lesson we have learned is that the details of the specification template that a translator to PVS targets, if chosen carefully, can greatly facilitate the implementation of PVS strategies. Details of the TAME template for TIOA that have proved helpful for strategy development include the overall scheme for representing trajectories illustrated in Figure 9 and the scheme for representing the start state predicate start(s) as an equality of the form s = ..., possibly in conjunction with additional restrictions (see, for example, Figure 4). Another detail of our translation scheme is the use of symbolic computation, if necessary, to permit the effects of transitions, which are defined in TIOA as the effect of a sequence of computations, to be represented in trans by explicit updates to state variables. This allows the theorem prover to reason directly about new state values of individual variables with less effort.

One goal in developing support for interactive theorem proving is to find a minimal set of proof steps that are natural to use in high level reasoning and that are sufficient (or nearly so) for mechanizing proofs of properties. Studying many examples has helped us in this regard. For example, we observed that many proofs included the observation that time cannot pass beyond a given deadline unless some discrete action occurs. This observation led us to include deadline_reason among our set of proof steps.


Mechanizing proofs. The theorem proving support we are developing for TIOA does not make mechanizing proofs of properties automatic, but it does make it simple. A user who wishes to prove properties of a TIOA specification using TAME must in general be a domain expert for the system modeled in TIOA. To prove the desired safety or simulation properties, the user often must find an appropriate set of supporting lemmas. Doing this may require some creativity; some guidance on how to go about it can be found in [24]. The user must also be able to sketch out at a high level why, based on the set of supporting lemmas, a given property is expected to hold. To produce a mechanical proof of the property, the user then can apply TAME reasoning steps that match this high level reasoning. Typically, this can be done using steps such as const_facts, apply_inv_lemma, apply_specific_precond, deadline_reason, and so on to introduce the facts appealed to in each nontrivial case in the proof sketch, and then invoking try_simp to do the "obvious reasoning" based on these facts.

While it is good to have a mechanical check of a proof's validity, it is equally important to have some feedback on what went wrong if the mechanical check fails. For failed proofs, TAME provides some useful feedback: the saved TAME proof script can be used to detect the place in the proof where the proof breaks down. The user can then review the high level reasoning to see whether there is an error or whether introducing additional facts can complete the proof.


Scalability. We have begun experimentation with using the TAME support for TIOA on larger examples. Our first larger example is the Small Aircraft Transportation System protocol (SATS) developed at NASA Langley. An abstract model of this system has been defined in [8]. An IOA version of this model has been represented and verified in PVS [29]. We have used the TIOA-to-TAME translator to represent the IOA model in TAME, and have begun redoing the proofs using the TAME strategies.

The SATS example has raised an issue that is likely to arise in many large examples: the use by specifiers of multi-layered definitions of application specific functions and predicates. One way to manage the many definition expansions for proof efficiency would be to expand them in layers to allow reasoning to proceed at the highest possible layer. A goal for the toolkit is to generate "local strategies" for a specific application that group definitions by layer. A scheme of this sort is used in the SCR-to-TAME translator to increase the efficiency of the TAME strategies that support reasoning about SCR automata [3].


6 Related work 


Previous work has been performed to develop tools to translate specifications written in the IOA language to the language of various theorem provers, for example, Larch [6, 10], PVS [9], and Isabelle [30, 27]. Our implementation of the TIOA to PVS translator described in [20] builds upon [6]. The target PVS specifications of this translator strongly resemble TAME specifications. In addition, an early version of TAME's deadline_reason strategy was implemented as the PVS strategy deadline-check described in [20]. The TIOA-to-TAME translator is essentially a version of the TIOA-to-PVS translator of [20] with modifications that allow the straightforward implementation of new TAME strategies for TIOA and the most effective use of existing TAME strategies. A more complete description of the recent improvements made to the translation scheme and strategies described in [20] can be found in [19]. In [2] a slightly different approach, using urgency predicates instead of stopping conditions or invariants to limit trajectories, is used to describe timed I/O automata. An approach to proving invariant properties of timed I/O automata using urgency predicates is described, but no tool support. A proposed design for supporting urgency predicates in the TIOA toolkit is given in [3].


7 Conclusion 


The TIOA framework is ultimately intended to support all phases of system development, from specification, through verification and validation, to implementation. In this paper, we have focused on the usability of the TIOA framework for modeling and mechanical verification of properties of timed systems with both discrete and continuous transitions. We have described the theorem proving support provided and illustrated how it is used in examples where the properties of interest are invariant properties or simulation properties, and where the model involves nontrivial data types.

Our plan for the future is to experiment with more complex examples, such as SATS or the Dynamic Host Configuration Protocol DHCP (using models based on the work described in [3]), to explore extensions and improvements to our proof support.